feature: added support for 80 bytes key

Author: fbomlisboa

.travis.yml

@@ -0,0 +1,111 @@
+dist: bionic
+
+branches:
+  only:
+    - "master"
+
+os: linux
+
+language: c
+
+compiler:
+  - gcc
+
+addons:
+  apt:
+    packages:
+      - ack
+      - axel
+      - cpanminus
+      - libtest-base-perl
+      - libtext-diff-perl
+      - liburi-perl
+      - libwww-perl
+      - libtest-longstring-perl
+      - liblist-moreutils-perl
+
+cache:
+  directories:
+    - download-cache
+
+env:
+  global:
+    - JOBS=3
+    - NGX_BUILD_JOBS=$JOBS
+    - LUAJIT_PREFIX=/opt/luajit21
+    - LUAJIT_LIB=$LUAJIT_PREFIX/lib
+    - LUAJIT_INC=$LUAJIT_PREFIX/include/luajit-2.1
+    - LUA_INCLUDE_DIR=$LUAJIT_INC
+    - PCRE_VER=8.45
+    - PCRE_PREFIX=/opt/pcre
+    - PCRE_LIB=$PCRE_PREFIX/lib
+    - PCRE_INC=$PCRE_PREFIX/include
+    - OPENSSL_PREFIX=/opt/ssl
+    - OPENSSL_LIB=$OPENSSL_PREFIX/lib
+    - OPENSSL_INC=$OPENSSL_PREFIX/include
+    - LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
+    - TEST_NGINX_SLEEP=0.006
+  jobs:
+    - NGINX_VERSION=1.21.4 OPENSSL_VER=1.1.1s OPENSSL_PATCH_VER=1.1.1f
+
+before_install:
+  - sudo apt update
+  - sudo apt install --only-upgrade ca-certificates
+  - '! grep -n -P ''(?<=.{80}).+'' --color `find src -name ''*.c''` `find . -name ''*.h''` || (echo "ERROR: Found C source lines exceeding 80 columns." > /dev/stderr; exit 1)'
+  - '! grep -n -P ''\t+'' --color `find src -name ''*.c''` `find . -name ''*.h''` || (echo "ERROR: Cannot use tabs." > /dev/stderr; exit 1)'
+  - /usr/bin/env perl $(command -v cpanm) --sudo --notest Test::Nginx IPC::Run > build.log 2>&1 || (cat build.log && exit 1)
+  - pyenv global 2.7
+install:
+  - if [ ! -f download-cache/pcre-$PCRE_VER.tar.gz ]; then wget -P download-cache https://downloads.sourceforge.net/project/pcre/pcre/${PCRE_VER}/pcre-${PCRE_VER}.tar.gz; fi
+  - if [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/old/${OPENSSL_VER//[a-z]/}/openssl-$OPENSSL_VER.tar.gz; fi
+  - git clone https://github.com/openresty/test-nginx.git
+  - git clone https://github.com/openresty/openresty.git ../openresty
+  - git clone https://github.com/openresty/no-pool-nginx.git ../no-pool-nginx
+  - git clone https://github.com/openresty/openresty-devel-utils.git
+  - git clone https://github.com/openresty/mockeagain.git
+  - git clone https://github.com/openresty/lua-resty-lock ../lua-resty-lock
+  - git clone https://github.com/openresty/lua-resty-memcached ../lua-resty-memcached
+  - git clone https://github.com/openresty/lua-resty-memcached-shdict ../lua-resty-memcached-shdict
+  - git clone https://github.com/openresty/lua-resty-shdict-simple ../lua-resty-shdict-simple
+  - git clone https://github.com/openresty/echo-nginx-module.git ../echo-nginx-module
+  - git clone https://github.com/openresty/nginx-eval-module.git ../nginx-eval-module
+  - git clone https://github.com/simpl/ngx_devel_kit.git ../ndk-nginx-module
+  - git clone https://github.com/FRiCKLE/ngx_coolkit.git ../coolkit-nginx-module
+  - git clone https://github.com/openresty/set-misc-nginx-module.git ../set-misc-nginx-module
+  - git clone https://github.com/openresty/lua-resty-core.git ../lua-resty-core
+  - git clone https://github.com/openresty/lua-resty-lrucache.git ../lua-resty-lrucache
+  - git clone https://github.com/spacewander/lua-resty-rsa.git ../lua-resty-rsa
+  - git clone https://github.com/openresty/lua-resty-string.git ../lua-resty-string
+  - git clone https://github.com/openresty/lua-nginx-module.git ../lua-nginx-module
+  - git clone -b v2.1-agentzh https://github.com/openresty/luajit2.git luajit2
+
+script:
+  - export PATH=$PWD/work/nginx/sbin:$PWD/openresty-devel-utils:$PATH
+  - ngx-releng > check.txt || true
+  - lines=`wc -l check.txt | awk '{print $1}'`; if [ $lines -gt 5 ]; then cat check.txt; exit 1; fi
+  - sudo sysctl -w kernel.pid_max=10000
+  - cd luajit2/
+  - make -j$JOBS CCDEBUG=-g Q= PREFIX=$LUAJIT_PREFIX CC=$CC XCFLAGS='-DLUA_USE_APICHECK -DLUA_USE_ASSERT -msse4.2' > build.log 2>&1 || (cat build.log && exit 1)
+  - sudo make install PREFIX=$LUAJIT_PREFIX > build.log 2>&1 || (cat build.log && exit 1)
+  - cd ../mockeagain/ && make CC=$CC -j$JOBS && cd ..
+  - tar zxf download-cache/pcre-$PCRE_VER.tar.gz
+  - cd pcre-$PCRE_VER/
+  - ./configure --prefix=$PCRE_PREFIX --enable-jit --enable-utf --enable-unicode-properties > build.log 2>&1 || (cat build.log && exit 1)
+  - make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
+  - sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1)
+  - cd ..
+  - tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz
+  - cd openssl-$OPENSSL_VER/
+  - patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch
+  - ./config shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX -DPURIFY > build.log 2>&1 || (cat build.log && exit 1)
+  - make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
+  - sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1)
+  - cd ..
+  - export NGX_BUILD_CC=$CC
+  - sh util/build.sh $NGINX_VERSION > build.log 2>&1 || (cat build.log && exit 1)
+  - nginx -V
+  - ldd `which nginx`|grep -E 'luajit|ssl|pcre'
+  - export LD_PRELOAD=$PWD/mockeagain/mockeagain.so
+  - export LD_LIBRARY_PATH=$PWD/mockeagain:$LD_LIBRARY_PATH
+  - export TEST_NGINX_RESOLVER=8.8.4.4
+  - /usr/bin/env perl $(command -v prove) -I. -Itest-nginx/lib -r t/

README.md

@@ -46,6 +46,9 @@ http {
 
             memc_conn_max_idle_time = 1 * 1000,  -- in ms, for in-pool connections,
                                                   -- optional, default to nil
+            key_length = 48   -- in bytes, optional, default 48, possible 80 if using with
+                              -- nginx > 1.12.0, any other values it will
+                              -- fallback to default length
         }
     }
 
@@ -61,6 +64,7 @@ http {
         # Put a dummy key to trigger external ticket key usage in nginx/OpenSSL
         # init_by_lua* will replace this dummy key with existing cached keys
         # or a random key if cached keys are not available.
+        # If key_length was set to 80 bytes in init_by_lua*, the dummy key needs to be 80 bytes too.
         ssl_session_ticket_key  dummy.key;
 
         ...

lualib/ngx/ssl/session/ticket.lua

@@ -23,9 +23,10 @@ ffi.cdef[[
 int ngx_http_lua_ffi_get_ssl_ctx_count(void);
 int ngx_http_lua_ffi_get_ssl_ctx_list(void **buf);
 int ngx_http_lua_ffi_update_ticket_encryption_key(void *ctx,
-     const unsigned char *key, unsigned int nkeys, char **err);
+     const unsigned char *key, const unsigned int nkeys,
+     const unsigned int key_length, char **err);
 int ngx_http_lua_ffi_update_last_ticket_decryption_key(void *ctx,
-     const unsigned char *key, char **err);
+     const unsigned char *key, const unsigned int key_length, char **err);
 ]]
 
 
@@ -61,14 +62,15 @@ function _M.update_ticket_encryption_key(key, nkeys)
     -- OpenSSL session ticket key is 48 bytes.
     -- key structure:
     -- 16 bytes key name, 16 bytes AES key, 16 bytes HMAC key.
-    if not key or #key ~= 48 then
+    if not key or (#key ~= 48 and #key ~= 80) then
         return nil, 'invalid ticket key'
     end
 
     for _, ctx in ipairs(ctxs) do
          local rc = C.ngx_http_lua_ffi_update_ticket_encryption_key(ctx,
                                                                     key,
                                                                     nkeys,
+                                                                    #key,
                                                                     errmsg)
          if rc ~= 0 then -- not NGX_OK
              return nil, ffi_str(errmsg[0])
@@ -88,13 +90,14 @@ function _M.update_last_ticket_decryption_key(key)
     end
 
     -- OpenSSL session ticket key is 48 bytes.
-    if not key or #key ~= 48 then
+    if not key or (#key ~= 48 and #key ~= 80) then
         return nil, 'invalid ticket key'
     end
 
     for _, ctx in ipairs(ctxs) do
          local rc = C.ngx_http_lua_ffi_update_last_ticket_decryption_key(ctx,
                                                                          key,
+                                                                         #key,
                                                                          errmsg)
          if rc ~= 0 then -- not NGX_OK
              return nil, ffi_str(errmsg[0])

lualib/ngx/ssl/session/ticket/key_rotation.lua

@@ -99,7 +99,7 @@ local function shdict_get_and_decrypt(ctx, idx)
     -- Ideally we should protect the ticket key with some encryption.
     -- key = decrypt(key, key_encryption_key)
 
-    if #key ~= 48 then
+    if #key ~= 48 and #key ~= 80 then
       return fail("malformed key: #key ", #key)
     end
 
@@ -132,7 +132,7 @@ local function memc_get_and_decrypt(ctx, idx, offset)
     -- Ideally we should protect the ticket key with some encryption.
     -- key = decrypt(key, key_encryption_key)
 
-    if #key ~= 48 then
+    if #key ~= 48 and #key ~= 80 then
       return fail("malformed key: #key ", #key)
     end
 
@@ -256,8 +256,14 @@ function _M.init(opts)
 
     local memc_conn_max_idle_time = opts.memc_conn_max_idle_time
 
+    local key_length = opts.key_length
+
     local frandom = assert(io.open("/dev/urandom", "rb"))
-    fallback_random_key = frandom:read(48)
+    -- if key_length is not set or is different from 48 or 80, use default 48 bytes
+    if not key_length or (key_length ~= 48 and key_length ~= 80) then
+        key_length = 48
+    end
+    fallback_random_key = frandom:read(key_length)
     frandom:close()
 
     nkeys = floor(ticket_ttl / time_slot) + 2

src/ngx_http_lua_ssl_module.c

@@ -183,7 +183,8 @@ ngx_http_lua_ffi_get_ssl_ctx_list(SSL_CTX **buf)
 
 int
 ngx_http_lua_ffi_update_ticket_encryption_key(SSL_CTX *ctx,
-    const unsigned char  *key, const ngx_uint_t nkeys,  char **err)
+    const unsigned char  *key, const ngx_uint_t nkeys,
+    const unsigned int key_length, char **err)
 {
 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
 
@@ -226,12 +227,25 @@ ngx_http_lua_ffi_update_ticket_encryption_key(SSL_CTX *ctx,
      * key. */
     if (keys->nelts > 0) {
         pkey = keys->elts;
-        if (ngx_memcmp(pkey->name, key, 16) == 0
-            && ngx_memcmp(pkey->aes_key, key + 16, 16) == 0
-            && ngx_memcmp(pkey->hmac_key, key + 32, 16) == 0)
-        {
-            dd("duplicate ticket key");
-            return NGX_OK;
+        if (key_length == 48) {
+            dd("key size is 48");
+            if (ngx_memcmp(pkey->name, key, 16) == 0
+                && ngx_memcmp(pkey->aes_key, key + 16, 16) == 0
+                && ngx_memcmp(pkey->hmac_key, key + 32, 16) == 0)
+            {
+                dd("duplicate ticket key");
+                return NGX_OK;
+            }
+
+        } else if (key_length == 80) {
+            dd("key size is 80");
+            if (ngx_memcmp(pkey->name, key, 16) == 0
+                && ngx_memcmp(pkey->aes_key, key + 16, 32) == 0
+                && ngx_memcmp(pkey->hmac_key, key + 48, 32) == 0)
+            {
+                dd("duplicate ticket key");
+                return NGX_OK;
+            }
         }
     }
 
@@ -255,13 +269,23 @@ ngx_http_lua_ffi_update_ticket_encryption_key(SSL_CTX *ctx,
     }
 
     /* copy the new key */
-    ngx_memcpy(pkey->name, key, 16);
-    ngx_memcpy(pkey->aes_key, key + 16, 16);
-    ngx_memcpy(pkey->hmac_key, key + 32, 16);
+    if (key_length == 48) {
+        ngx_memcpy(pkey->name, key, 16);
+        ngx_memcpy(pkey->aes_key, key + 16, 16);
+        ngx_memcpy(pkey->hmac_key, key + 32, 16);
 #if (nginx_version >= 1011008)
     pkey->size = 48;
 #endif
 
+    } else if (key_length == 80) {
+        ngx_memcpy(pkey->name, key, 16);
+        ngx_memcpy(pkey->aes_key, key + 16, 32);
+        ngx_memcpy(pkey->hmac_key, key + 48, 32);
+#if (nginx_version >= 1011008)
+    pkey->size = 80;
+#endif
+    }
+
     return NGX_OK;
 
 #else
@@ -275,7 +299,7 @@ ngx_http_lua_ffi_update_ticket_encryption_key(SSL_CTX *ctx,
 
 int
 ngx_http_lua_ffi_update_last_ticket_decryption_key(SSL_CTX *ctx,
-    const unsigned char *key, char **err)
+    const unsigned char *key, const unsigned int key_length, char **err)
 {
     ngx_array_t                        *keys;
     ngx_ssl_session_ticket_key_t       *pkey;
@@ -306,13 +330,23 @@ ngx_http_lua_ffi_update_last_ticket_decryption_key(SSL_CTX *ctx,
     pkey = &pkey[keys->nelts - 1];
 
     dd("replace the last key");
-    ngx_memcpy(pkey->name, key, 16);
-    ngx_memcpy(pkey->aes_key, key + 16, 16);
-    ngx_memcpy(pkey->hmac_key, key + 32, 16);
+    if (key_length == 48) {
+        ngx_memcpy(pkey->name, key, 16);
+        ngx_memcpy(pkey->aes_key, key + 16, 16);
+        ngx_memcpy(pkey->hmac_key, key + 32, 16);
 #if (nginx_version >= 1011008)
     pkey->size = 48;
 #endif
 
+    } else if (key_length == 80) {
+        ngx_memcpy(pkey->name, key, 16);
+        ngx_memcpy(pkey->aes_key, key + 16, 32);
+        ngx_memcpy(pkey->hmac_key, key + 48, 32);
+#if (nginx_version >= 1011008)
+    pkey->size = 80;
+#endif
+    }
+
     return NGX_OK;
 
 #else

t/cert/dummy-48.key

@@ -0,0 +1 @@
+׎�"��~���w�-L�W8�_a�.چE�J��7"�Y��7�Z��y�m��ٗ

t/cert/dummy-80.key

@@ -0,0 +1 @@
+��h�Vl|S��+����m��ԋ�L*��:����fiHc���c.}��9/O'P����H��ɩ�E3]�x$��񝥂��`

t/cert/test.crt

@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGETCCA/mgAwIBAgIUE3pqyVuRQL+qGuSFAUCLq4g7pt4wDQYJKoZIhvcNAQEL
+BQAwgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQH
+DA1TYW4gRnJhbmNpc2NvMRIwEAYDVQQKDAlPcGVuUmVzdHkxEjAQBgNVBAsMCU9w
+ZW5SZXN0eTERMA8GA1UEAwwIdGVzdC5jb20xIDAeBgkqhkiG9w0BCQEWEWFnZW50
+emhAZ21haWwuY29tMB4XDTIyMDUyOTA2MTk1N1oXDTMyMDUyNjA2MTk1N1owgZcx
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4g
+RnJhbmNpc2NvMRIwEAYDVQQKDAlPcGVuUmVzdHkxEjAQBgNVBAsMCU9wZW5SZXN0
+eTERMA8GA1UEAwwIdGVzdC5jb20xIDAeBgkqhkiG9w0BCQEWEWFnZW50emhAZ21h
+aWwuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyLzMbnMBcxYB
+2W0uEqPKo2lOJdUQTnakipVLqRvZIJv7NkZgU76pxdFwoSxPpvJcpJ4rsosBZvhV
+dkGoKmuVfIFU0lYcdaccq88aT7E9XfTXiiyB2tkT6jS6wr+QxDj7KW47zdUBUT9O
+6ClNyY2o1gZldElTG0Bwk4j2sAkXuWGmyncTOJ4ge3mWVksAQYbL5pwfdfyqgDmK
+B4nLJHBkorLbF7nm7pK2HzQCtaEUJpQKpJdCULcOHrydjVAwHUQsZAb9XXjQWPTb
+A0BSplbgMSI6saT9uA2RjLBzpYKj8J1rWGadWteSyQAf6XooQrquTPuR+OWF6t/m
+2vkTcJlh1ukPPAPZBvlAQX9VSLWk5fmAQZA5BxYXNVWcMGVNO7UtilRmjqK1nCmv
+oyDXHzpE5RZPBZH4ecOqTscUgmS72ItPGWMtEtCQYbzWyMAa1cpCvK40YRa4814r
+XgffWgWJQfqyVvRjzpWIUiqwjUX3/p3W3pxX/GNHOv2ZH/pebcODOl7EFxzv5eQc
+z9vW5+RfiCSzs5bGG7qw58dMFROeAJbwR6t2o6GRd0HfgTTwSDcrrpcdLP/PaL+v
+twnrNa9r7rIwXnDWxYo3KiGpqEfG2WwW+lJsUzZOi9eI9kYPyvFmNFLugZbHMi+h
+ICCb8AQB2thON5X4N7FtP5GVfMR9vIkCAwEAAaNTMFEwHQYDVR0OBBYEFDEy866N
+WPHPTJKeL/96VYoczkINMB8GA1UdIwQYMBaAFDEy866NWPHPTJKeL/96VYoczkIN
+MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAHJgyS6/OyRqzqwd
++6DnntGV+MTo9WBNvNs/fekJghnrr85oG330GasYENQLi0wF20to7FMan2U9kwgV
+cbhDwe70JD0jg8htYof/uXOMBVWT4iZ+eXn60mP3iLsSutwt/drXBBzbxMYbUC12
+CIiadkV8aMPIN6oGnF7TLF4AvBqYYp2qAVGXr/ZQm3L7NPB0jkSktSe6obnaq1tO
+ug18ImhzAqkn1UGnLRiTADOba5HuKtovwWtLblNBODdnv1E7IK1A6jpqwiYjlbU5
+4v9ZzFzEJw+GqYHkTRmJGCA2Uw7HNEUFeno1BTp19Ce9fvrkofTWYmLp/NAvEp6E
+aFnBdCjY4tWzI2Iig7IjDIM7F6igGODybeN9ijD7oSyEDtNE7ECLSuXhgekiQJ8c
+NYALgbbNPxWx8zJcNiYy1NDYdIjO5vYFOpbn+rQObKVCX/X+Al9fT126ciTT1xAF
+fZtkGPpp3Wjgws9UDSzetvWHYt0Rs70m351LFPHyR4tQLHoDFqnA2buG/mSvKZ9U
+to0JQ/8QPRIYv0FUJcF0+/xQRYrIqvmjiCpfL2hwJyRViq7f8z0/tmMoLxFlPo/k
+GC+gvh3WwTB622h9JEqS48lllcYZIQWOX2mbFtUtNFdzUtSRmZMa8RmcYr5So2OH
+9QLIIjC6ntPFjWq+uLJAJ8uazRt7
+-----END CERTIFICATE-----